The mailing list for listmasters using Sympa

[David Verdin <address@concealed>]

Hi guys,

Le 14/12/11 06:32, Nestor Oviedo a écrit :
> Hi all!
> I have a Sympa 6.1b.4 and I'm facing two big problems with the archive 
> section. Maybe someone can help me on this. I'll try to resume the issue.
> When a user sends a message in HTML format, with images embedded, 
> MHonArc archives it and generates the msgxxx.html file and many 
> jpg[random].jpg files (all in the same directory).
>
> The first problem is MHonArc doesn't seems to be considering the css 
> file referenced in the html head section; i.e. the msgxxx.html file 
> doesn't contain any reference to the css file. The obvious consequence 
> is the message presentation in Sympa Archive section is broken.
Yes, actually that one is a feature. Any user-generated content in the 
web interface is escaped if it refers to a ressource outside the server. 
This is all part of the XSS prevention.
I'm struggling to make this behaviour configurable but it is not easy, 
due to the large amount of factors to configure.
Work in - slow - progress. Once it is done, you just have to rebuild 
your archives and everything will be displayed as you like.
> The second problem is related with the session_id renewal process made 
> in SympaSession.pm (invoked from wwsympa.fcgi). MHonArc replaces the 
> "src" attribute from all the embedded <img> elements in the 
> msgxxx.html with the jpg[random].jpg filename generated. When the 
> message is displayed in the Sympa Archive section, the browser makes a 
> request for every <img> element to an URL like 
> http://[host]/arc/[list]/[year-month]/jpg[random].jpg, and that is a 
> "do_archive" action in the wwsympa.fcgi for the image.
> The problem is that the image requests are very close one to another 
> and that doesn't allow the browser to update the sympa_session cookie 
> with the renewed session_id (it sends the previous seesion_id).
> The log shows the line "SympaSession::new ignoring unknown session 
> cookie 'xxxxx'" (where xxxxx is the previous seesion_id).
> Because of this, the server creates a new empty session, and instead 
> retrieves the "I'm not a spammer" page. Also, if the user is logged 
> in, it is logged out.
OK, that one is a real Sympa bug.
The only solution I see is to place the archives in the static content 
repository (they ARE static data once they have been generated). Request 
to the static content are not submitted to session renewal as far as I 
remember.
This however requires a bit of work and won't be made available to the 
6.1 branch, due to the unstabilization it would induce.

Cheers,

David
> I have no clue for the first problem. For the second I've thinking in 
> make some modification to the MHonArc archival process to specificy 
> the "-attachmenturl" parameter and then use the mod_alias or 
> mod_rewrite module from apache in order to "bypass" the "do_arc" action.
>
> Any clue? any idea?
>
> Thanks in advance!
> Nestor